Note: I was awarded a $750 reward for the same vulnerability reported to a company, so this issue is really serious to fix.
Summary:
Your OAuth 2.0 authorization flow for public clients is not using PKCE (Proof Key for Code Exchange). This leaves the authorization code vulnerable to interception attacks, which can result in account takeover (ATO).
Vulnerability Details:
Issue: Missing PKCE in OAuth flow for public clients
Impact: Authorization Code Interception → Account Takeover
Affected Components: OAuth login
Steps to Reproduce:
- Start the Google OAuth login flow from the Omi AI Android app.
- Observe the authorization request:
  - There is no code_challenge or code_challenge_method parameter present in the request.
- Intercept the redirect containing the authorization code.
- Exchange the intercepted code manually using the app’s client_id and redirect_uri.
- This successfully returns valid OAuth tokens, giving full access to the victim’s account.
Impact:
An attacker with the ability to intercept the authorization code (via a malicious app, compromised network, or open redirect) can bypass user authentication and gain complete control of the victim’s account.
PKCE is specifically designed to mitigate this type of attack in public clients that cannot securely store a client_secret.
Severity:
High – Enables potential Account Takeover of users authenticating via OAuth.